Thumbcache Files - Foren-Ken/tech-journal GitHub Wiki
Thumbcache files are database files (.db) which contain data on the thumbnails for images on the Windows device. These Thumbcaches are generated when viewing image files from File Explorer or on the Desktop. They will not be generated if thumbnails are turned off or if the user did not view the thumbnail on the screen. This can be used as proof if someone views a certain image.
| Artifact | Uses |
|---|---|
| Original Image Location | This makes it so the location of the image on the devices is viewable. Can provide a great amount of forensic details depending on the situation. |
| Original Image Size | This can be used to determine how much space on the drive the image took. This can be used to determine if an image was modified or replaced. |
| Windows Machine Hostname | This aids in discovering on which device the image was seen. |
| Owner of the Image | This artifact determines which user had seen the image. |
| Dimension of the Image | This can be used to confirm which image was seen in case a new image was placed to replace the old one. |
| Time and day of when the thumbcache was created | This timestamp can be used to determine when the user first saw the image. |
| MAC Timestamps for the original Image | The original image's timestamps are visible using the Thumbcache database. This allows a timeline to be created for the original image, and allows investigators to discover if the timestamps to any file were modified. |
Thumbcache databases stored at this location:
C:\Users\<Username>\AppData\Local\Microsoft\Windows\Explorer
Windows.db/Windows.edb are located here:
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
The files above are necessary for two things:
- Thumbcache databases contain the thumbcache data which is used to conduct forensics.
- Windows.db/edb are required since they convent the hashes which the thumbcache database files have into actual file paths to be anaylzed. Without Windows.db/edb, an investigator would be required to analyze the entire drive to look for the matching images. If the image was deleted, the investigator would not know until the entirety allocated space is viewed.
Thumbcache viewer can be downloaded here
This tool provides the ability, through a GUI, to load Thumbcache databases and apply the Windows database file to decode it.
How to load Thumbache files
Files > Open.. > Select Target Files
How to load Windows.edb/db:
Tools > Map File Paths > Load Windows Search Database > Place Windows database file into "Windows Search database file:" > Check the boxes depending on the situation (though "Retrieve Extended Information" is recommended) > Scan
